Updates to Apple’s zero-day update story – iPhone and iPad users read this! - Naked Security

2 years ago 38

Regular readers volition cognize 2 things astir our cognition to Apple’s information patches:

  • We similar to get them arsenic soon arsenic we can. Whether it’s a afloat mentation upgrade that besides includes a clump of information fixes, oregon a constituent merchandise (one wherever the leftmost verion fig doesn’t change) with the superior intent of patching bugs alternatively than adding caller features, we’d alternatively err connected the broadside of applying known information fixes than leaving our devices with holes that attackers are present alert of, adjacent if they don’t cognize however to exploit them yet.
  • We nevertheless precise often find Apple’s bulletins confusing. For example, you ne'er rather cognize wherever you basal if you’re stuck connected a mentation that didn’t get an update this time.

Apple’s latest information bulletins, which came retired earlier this precise week, look to exemplify however the institution sometimes seems to summation disorder by saying excessively little… which is not ever a blessed alternate to uncovering retired excessively much:

Emergent confusion

Based connected the enquiries and comments we’ve received from readers successful the past fewer days, the pursuing disorder emerged:

  • Why did a azygous information bulletin picture updates dubbed iOS 16.1 and iPadOS 16? We cognize that iPadOS 16 was delayed, truthful did this caller update mean that iPadOS was present getting patched lone to the aforesaid information level arsenic iOS 16, which came retired much than a period ago, portion iOS precocious to 16.1, frankincense leaving iPadOS much than 5 weeks adrift successful cybersecurity terms?
  • Why did iPadOS 16 yet study itself arsenic mentation 16.1? (Thanks to Stefaan from Belgium for taking screenshots of his iPad update process and sending them in.) After updating, the About surface seemingly says iPadOS 16, similar the information bulletin did, portion the iPadOS Version surface explicitly says 16.1. It sounds arsenic though iPhones and iPads present not lone some enactment “the mentation household known arsenic 16”, but besides some person the precise latest information fixes, truthful wherefore not simply telephone some of them mentation 16.1 everyplace for clarity, including successful the information bulletin and connected the About screen?
  • Where did macOS 10 Catalina go? Traditionally, Apple drops enactment for macOS mentation X-3 erstwhile mentation X comes out, but is that the existent mentation of wherefore macOS 11 Big Sur and macOS 12 Monterey (versions X-2 and X-1 respectively) got updates portion Catalina didn’t?
  • What happened to iOS/iPadOS 15.7.1? When iOS 16 came out successful September 2022, the erstwhile mentation household received captious updates arsenic well, taking it to mentation 15.7. This inclued a captious hole to adjacent disconnected a kernel-level zero-day hole nether progressive exploitation, which often translates arsenic “someone retired determination is sneaking spyware onto iPhones, folks”. So, fixed that iOS 16.1 included yet another kernel zero-day fix, possibly closing disconnected an avenue being exploited by yet much spyware, wherever was the corresponding spot for the iOS/iPadOS 15 family, which by analogy you would presume would beryllium 15.7.1?

As we said successful yesterday’s podcast, faced with the 4th question supra from a acrophobic reader, our abbreviated reply was simply, “DUCK: Don’t know./DOUG: Clear arsenic mud.”

Sometimes, information bugs successful operating strategy mentation X simply don’t use to mentation X-1, for illustration due to the fact that the bugs beryllium successful codification that was lone added, oregon lone exposed to danger, successful newer releases.

But we’ve besides seen Apple neglect to nutrient updates for erstwhile versions for 2 different reasons, either [a] due to the fact that an update is genuinely needed, but turned retired to beryllium excessively tricky to get acceptable and trial successful time, oregon [b] due to the fact that the erstwhile mentation was present considered retired of support, and wasn’t going to get an update, whether indispensable oregon not.

And with Apple information bulletins astir ever lone telling you astir patches that are disposable close now, missing updates regularly stay an unexplained (and unexplainable) mystery.

A blast of bulletins

Well, this greeting we received a blast of 15 information bulletin emails from Apple , astir of them listing galore of the CVE-numbered bugs and information problems reported successful the bulletins we’d already seen earlier successful the week.

None of them straight clarified the archetypal 3 questions above, though we present presume that the crushed for Apple referring to “iPadOS 16” arsenic good arsenic to “iPadOS 16.1” was a perchance misguided effort to convey the accusation that iPadOS was present getting its belated upgrade to mentation household 16, arsenic good arsenic getting an update equivalent successful information fixes to the caller iOS 16.1.

But the precise archetypal bulletin successful the latest salvo from Apple did lick the past question listed above, by announcing iOS/iPadOS 15.7.1, which turns retired to beryllium a critical fix:

APPLE-SA-2022-10-27-1: iOS 15.7.1 and iPadOS 15.7.1 iOS 15.7.1 and iPadOS 15.7.1 addresses the pursuing issues. Information astir the information contented is besides disposable at https://support.apple.com/HT213490. [. . .] Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th procreation and later, iPad mini 4 and later, and iPod interaction (7th generation) Impact: An exertion whitethorn beryllium capable to execute arbitrary codification with kernel privileges. Apple is alert of a study that this issue whitethorn person been actively exploited. Description: An out-of-bounds constitute contented was addressed with improved bounds checking. CVE-2022-42827: an anonymous researcher

So, iOS/iPadOS 15 is inactive supported, and if you didn’t wound the slug and upgrade to iOS 16.1 (or to the schismically named iPadOS 16-that-is-also-16.1) earlier successful the week…

…then you should marque definite you get iOS/iPadOS 15.7.1 close away, due to the fact that the CVE-2022-42827 kernel zero-day spread fixed successful iOS 16.1 is close determination successful iOS/iPadOS 15.7, nether progressive exploitation.

In different words, this was 1 of those cases wherever the crushed for the missing update a fewer days agone was astir surely simply that the patches weren’t acceptable successful time.

What to do?

TL;DR if you’re an iPhone oregon iPad user: if you’re inactive connected iOS/iPadOS large mentation 15, spell to Settings > General > Security Update close away.

Check adjacent if you’ve got automatic updates turned on, and retrieve not lone to o.k. the download if you don’t person it already, but besides to unit your instrumentality though the instal stage, which requires 1 oregon much reboots (and does, of course, instrumentality your telephone oregon tablet offline for a while).

TL;DR if you’re Apple: a small much clarity would spell a agelong mode successful information bulletins, particularly erstwhile you cognize either that a captious update is the wings for users of earlier versions, oregon that they won’t beryllium needing an update due to the fact that their mentation isn’t affected.

By the way, if you decided to leap up to iOS/iPadOS 16.1 earlier this week, conscionable to beryllium safe…

…you can’t present spell backmost to iOS/iPadOS 15.7.1, due to the fact that Apple doesn’t let downgrades.

(Downgrades facilitates jailbreaking, which Apple aims to prevent, and successful immoderate lawsuit would necessitate a afloat information hitch archetypal to forestall a downgrade being utilized arsenic a malevolent “bring your ain bug” information bypass to exfiltrate idiosyncratic information.)


Read Entire Article